Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

EDR: How can we check EDR logs for signs of Log4J Exploitation Attempts to the EDR Server?

EDR: How can we check EDR logs for signs of Log4J Exploitation Attempts to the EDR Server?

Environment

  • EDR Server: 7.5.2 and lower

Question

  • How can we check attempts to use the Log4J exploit on our EDR servers?

Answer

  • Our Product Security Team mentions that SOLR is not publicly exposed by default and that input is escaped before making it to SOLR.  In the interest of our customer base we decided to patch and remediate as soon as we could to avoid taking any chances.
  • Below is an example in the /var/log/cb/nginx/access.log log file of an attempt to exploit:
User-added image
  • Checking for this can be done on the EDR Server terminal via: 
grep -rni /var/log/cb/nginx/ -e 'jndi'

 

Additional Notes

  • Please make note, this command is an attempt and not an indicator of compromise. The attempt is blocked by Nginx and is not allowed to go further into the system
  • Please make sure you have the mitigations in place to protect your system. EDR: How to add the Log4j Mitigation

Related Content


Labels (1)
Tags (2)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎12-14-2021
Views:
311
Contributors